Activity Feed
- Posted Re: Salesforce UserLicense Events on Splunk Search. a week ago
- Karma Re: Salesforce UserLicense Events for livehybrid. a week ago
- Posted Salesforce UserLicense Events on Splunk Search. 2 weeks ago
- Posted Lost AWS events after ingestion on Getting Data In. 09-12-2024 01:51 AM
- Posted Tracking application of a Permission set and changes on All Apps and Add-ons. 06-25-2024 08:24 AM
- Tagged Tracking application of a Permission set and changes on All Apps and Add-ons. 06-25-2024 08:24 AM
- Got Karma for Push notifications stopped working. 05-23-2024 07:52 AM
- Karma Re: Push notifications stopped working for Ahmeed. 05-23-2024 07:49 AM
- Posted Push notifications stopped working on Monitoring Splunk. 05-21-2024 07:16 AM
- Posted Re: Subtract total values of 2 fields on Splunk Search. 09-28-2023 08:06 AM
- Posted Re: Subtract total values of 2 fields on Splunk Search. 09-28-2023 04:53 AM
- Karma Re: Subtract total values of 2 fields for ITWhisperer. 09-28-2023 04:51 AM
- Posted Re: Subtract total values of 2 fields on Splunk Search. 09-27-2023 08:38 AM
- Karma Re: Subtract total values of 2 fields for ITWhisperer. 09-27-2023 03:02 AM
- Posted How to subtract total values of 2 fields in a dashboard? on Splunk Search. 09-27-2023 12:51 AM
- Posted Why does the rising number not match the batch number? on All Apps and Add-ons. 06-06-2023 04:46 AM
- Karma Re: Create a field from values with the source field for vsommer. 03-30-2023 12:34 AM
- Karma Re: Create a field from values with the source field for gcusello. 03-30-2023 12:34 AM
- Posted How to create a field from values with the source field? on Getting Data In. 03-28-2023 08:23 AM
a week ago
Hi @livehybrid The interval is set to every 60 minutes and there are no errors logged against the internal index.
2 weeks ago
I have been using the Splunk Add-on for Salesforce for a while now, but I want to know if anyone else is using it and has noticed whether the number of events being ingested has decreased. When I look back to December, I could see Splunk would ingest multiple UserLicense events per day, but now it's one event every 4 days.
Labels: other
09-12-2024 01:51 AM
I am in the middle of a Splunk migration. One of the tasks is to move data from some sourcetypes onto the new servers using the | collect index=aws sourcetype=* command.
The numbers added up after running checks. I ran the same checks again a day later and the numbers no longer match up.
Period | Source 1: Old Splunk | Source 1: New Splunk | Source 2: Old Splunk | Source 2: New Splunk |
---|---|---|---|---|
August | 12,478,853 | 12,478,853 | 26,171,911 | 26,171,911 |
24 hours later | 12,478,853 | 12,477,696 | 26,171,911 | 3,001,183 |
I've set the following stanza within the indexes.conf file on the deployment server. Also the index only contains 22gb of data. Can you help?
[aws]
coldPath = $SPLUNK_DB\$_index_name\colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB\$_index_name\db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB\$_index_name\thaweddb
frozenTimePeriodInSecs=94608000
06-25-2024 08:24 AM
We are already ingesting Salesforce data via the Salesforce for Splunk Add-on. I have a requirement to monitor when an admin permission set has been assigned to a user and what changes that user makes. Has anyone fulfilled a similar requirement? So far I have found a list of the following objects that could provide the information I need to see when a permission set is assigned to a user (https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_permissionsetassignment.htm) but not sure how to track what changes that admin user makes. Can you help?
Labels: administration
05-21-2024 07:16 AM
1 Karma
Has anyone noticed the push notifications through the Splunk Mobile app have stopped working recently? We are using Splunk on-prem, Splunk Secure Gateway set up with prod.spacebridge.spl.mobi set as the Gateway, but I noticed the notifications stopped appearing on my home screen of when my iPhone was locked. Other colleagues using different devices are complaining of the same issue. I can't remember the exact date but it may have been around the 3rd May. No changes to our config have been made but I'd be interested to know if anyone else is having this issue.
Labels: splunkd
09-28-2023 08:06 AM
Thank you @ITWhisperer !! I've checked and it's worked a treat as there are no duplicate proposals
09-28-2023 04:53 AM
Thank you and that has worked 👍 I've noticed we have got duplicates with our data. How can I dedup on PROPOSALNUMBER and PROPOSAL_NUMBER?
09-27-2023 08:38 AM
Thanks @ITWhisperer I can see the values in the query1 and query2 but count1 count2 diff are all showing as 0
09-27-2023 12:51 AM
Hi there,
I have a dashboard and I want to subtract the total number of events of 2 queries but not sure how to do it, can you help?
Query 1:
index=mssql sourcetype=SQL_Query source=Sales_Contracts_Activations* OR source=Sales_Contracts_Activations_BOM
Query 2:
index=mssql sourcetype=SQL_Query source=Esigns CALLBACK_STATUS="SUCCESS" STATUS=Complete
06-06-2023 04:46 AM
Hi there,
I am trying to get a rolling number whenever proposals get activated. I am able to execute the following SQL script which gets me a figure for proposals activated today using this:
select * from cr_managementinformation where activation_date >= '06-JUNE-23'
order by proposal_status
When I change the input type to Batch then I use this:
SELECT * FROM cr_managementinformation
WHERE PROPOSAL_NUMBER > ?
AND activation_date = TO_DATE(current_date)
ORDER BY PROPOSAL_NUMBER ASC
The rising number does not match the batch number, i.e. the batch number of activations today is 302 but the rising number is only 5.
Can you help?
03-28-2023 08:23 AM
I've created fields from regex expressions before but never from the source field.
This is an example of the value within the source field: \\host0000\Test\IT Information\ Data Files\Daily Reporting\Business Unit\
I would like to extract the business unit value and call it Business Unit.
I have access to create a props.conf file.
Can you help?
Kind regards,
Vishal
Labels: props.conf
03-24-2023 02:44 AM
Hi all,
I am getting data in via an API (using the Add-on Builder) but having trouble creating a regex which splits it into a better format rather than 1 big event. Here is an example of the event:
"@odata.context": "https://example-app-env.aa01.aaa.aaaa-ad/odata/$metadata#Jobs",
"@odata.count": 111,
"value": [
{
"Key": "aaa1a111-aa11-11aa-a11a-11a1aa11a111",
"StartTime": "2023-01-20T14:08:34.607Z",
"EndTime": "2023-01-20T14:08:49.517Z",
"State": "Successful",
"JobPriority": "Normal",
"Source": "Agent",
"SourceType": "Agent",
"BatchExecutionKey": "aaa1a111-aa11-11aa-a11a-11a1aa11a111",
"Info": "Job completed",
"CreationTime": "2023-01-20T14:08:34.607Z",
"StartingScheduleId": null,
"ReleaseName": "RobotProdLogin_DEV",
"Type": "Attended",
"InputArguments": "",
"OutputArguments": "{}",
"HostMachineName": "AAAAAAAA11111",
"HasMediaRecorded": false,
"PersistenceId": null,
"ResumeVersion": null,
"StopStrategy": null,
"RuntimeType": "Development",
"RequiresUserInteraction": true,
"ReleaseVersionId": 1111,
"EntryPointPath": null,
"OrganizationUnitId": 1,
"OrganizationUnitFullyQualifiedName": "Default",
"Reference": "",
"ProcessType": "Process",
"ProfilingOptions": null,
"ResumeOnSameContext": false,
"LocalSystemAccount": "AAAAAA01\\AAA11AA",
"OrchestratorUserIdentity": null,
"Id": 00000
},
{
"Key": "aaa1a111-aa11-11aa-a11a-11a1aa11a111",
"StartTime": "2023-01-20T14:08:34.607Z",
"EndTime": "2023-01-20T14:08:49.517Z",
"State": "Successful",
"JobPriority": "Normal",
"Source": "Agent",
"SourceType": "Agent",
"BatchExecutionKey": "aaa1a111-aa11-11aa-a11a-11a1aa11a111",
"Info": "Job completed",
"CreationTime": "2023-01-20T14:08:34.607Z",
"StartingScheduleId": null,
"ReleaseName": "RobotProdLogin_DEV",
"Type": "Attended",
"InputArguments": "",
"OutputArguments": "{}",
"HostMachineName": "AAAAAAAA11111",
"HasMediaRecorded": false,
"PersistenceId": null,
"ResumeVersion": null,
"StopStrategy": null,
"RuntimeType": "Development",
"RequiresUserInteraction": true,
"ReleaseVersionId": 1111,
"EntryPointPath": null,
"OrganizationUnitId": 1,
"OrganizationUnitFullyQualifiedName": "Default",
"Reference": "",
"ProcessType": "Process",
"ProfilingOptions": null,
"ResumeOnSameContext": false,
"LocalSystemAccount": "AAAAAA01\\AAA11AA",
"OrchestratorUserIdentity": null,
"Id": 00000
},
How I want it to look:
Event 1
"@odata.context": "https://example-app-env.aa01.aaa.aaaa-ad/odata/$metadata#Jobs",
"@odata.count": 111,
"value": [
{
Event 2
{
"Key": "aaa1a111-aa11-11aa-a11a-11a1aa11a111",
"StartTime": "2023-01-20T14:08:34.607Z",
"EndTime": "2023-01-20T14:08:49.517Z",
"State": "Successful",
"JobPriority": "Normal",
"Source": "Agent",
"SourceType": "Agent",
"BatchExecutionKey": "aaa1a111-aa11-11aa-a11a-11a1aa11a111",
"Info": "Job completed",
"CreationTime": "2023-01-20T14:08:34.607Z",
"StartingScheduleId": null,
"ReleaseName": "RobotProdLogin_DEV",
"Type": "Attended",
"InputArguments": "",
"OutputArguments": "{}",
"HostMachineName": "AAAAAAAA11111",
"HasMediaRecorded": false,
"PersistenceId": null,
"ResumeVersion": null,
"StopStrategy": null,
"RuntimeType": "Development",
"RequiresUserInteraction": true,
"ReleaseVersionId": 1111,
"EntryPointPath": null,
"OrganizationUnitId": 1,
"OrganizationUnitFullyQualifiedName": "Default",
"Reference": "",
"ProcessType": "Process",
"ProfilingOptions": null,
"ResumeOnSameContext": false,
"LocalSystemAccount": "AAAAAA01\\AAA11AA",
"OrchestratorUserIdentity": null,
"Id": 00000
},
Can you help?
Labels: props.conf
03-03-2023 05:06 AM
Hi there,
I've created a multi select input called Source and the Data Configurations is set to a search and "Use search results or job status as tokens" is ticked (I've tried with this unticked).
The source filter shows the values I expect to see but nothing happens when I tick one or more of the options.
Not sure if the code below is relevant but I am adding it in case it helps
"inputs": {
"input_global_trp": {
"type": "input.timerange",
"options": {
"token": "global_time",
"defaultValue": "@d,now"
},
"title": "Global Time Range"
},
"input_OvTI7NW3": {
"options": {
"items": ">frame(label, value) | prepend(formattedStatics) | objects()",
"token": "ms_monMf0CU",
"defaultValue": ""
},
"title": "Source",
"type": "input.multiselect",
"dataSources": {
"primary": "ds_ESObVruQ"
},
"context": {
"formattedConfig": {
"number": {
"prefix": ""
}
},
Labels: chart, Dashboard Studio
02-03-2023 04:21 AM
Hi there, I am trying to ingest data which is stored within the profile of a user's AppData location: C:\Users\(User ID)\AppData\Local\UiPath\Logs but can't pull in any events. I've tried lots of different stanzas like
[monitor://C:\Users\DKX*\AppData\
[monitor://C:\Users\DKX$\AppData\
[monitor://C:\Users\...\AppData\
[monitor://C:\Users\%userprofile%\AppData\
Any idea why it isn't working? I know I've not added in all my stanza attempts but could it be due to the Splunk service account not having access to that location?
Labels: inputs.conf, universal forwarder
12-29-2022 05:12 AM
Thanks @rrovers that has worked a treat 🙂
Tags: thanks
12-29-2022 01:32 AM
Hi there, I have a search where I want to see where one date field is the same or starts before another, but my search results only show me events where both dates are the same. Can you help? I am trying to find events which contain an end date that is before the created date. The data isn't create so a typical date entry would be 12112022
index=UAT sourcetype="Test_Txt_data"
| eval end_date_epoch = strptime(end_date,"%d%m%Y")
| eval created_date_epoch = strptime(created_date,"%d%m%Y")
| where end_date_epoch <= created_date_epoch
| eval end_date = strftime(end_date_epoch, "%d/%m/%Y"), created_date = strftime(created_date_epoch, "%d/%m/%Y")
| table proposal, created_date, end_date
11-21-2022 07:00 AM
Thanks @yuanliu this has worked a treat! 😀
11-17-2022 06:23 AM
I have a simple search which is satisfaction_date=0 OR close_date=0 AND status=8 in the previous month. I now have a requirement where users want to see (last 30 days) where those records are now tagged with a different status. The unique identifier with each record is a proposal_id.
i.e. in October proposal vdutta1 had a satisfaction date as 0 and status as 8. Proposal vdutta1 now has a satisfaction date as 0 and status as 6 so this record should be shown.
Can you help?
11-14-2022 03:11 AM
Hi @gcusello The week day alerts were working fine but I've applied 0, 6 to the weekend alerts so that should work now.
11-14-2022 12:50 AM
Hi there, I used to have a couple of alerts which worked using a cron expression from Monday to Saturday (*/15 7-19 * * 1-) and another for Sunday (*/15 10-15 * * 0). The requirements changed so I needed the Saturday and Sunday alert timings to be the same. I used (*/15 10-15 * * 6-7) but that didn't trigger an alert. I tried */15 10-15 * * SAT-SUN but it doesn't accept that format. Can you help me with a cron expression for Saturday and Sunday?
Labels: alert condition, cron
11-14-2022 12:44 AM
Hi @majilan1, I have a number of alerts based on something similar and this is the search I use. The search doesn't look at the D drive but you can always add in mount="D:".
source="PerfmonMK:LogicalDisk" instance!= C: instance!=_Total %_Free_Space<10
11-09-2022 02:54 AM
Hi @gcusello I am implementing that to the existing datetime.xml file. Is this what I should add?
</define>
<define name="_masheddate2" extract="month, day, year">
<text><![CDATA[(?:^|mylogs_01-10-2022.log::).*?_(0?[1-9]|1[012])-(0?[1-9]|[12]\d|3[01])-(20\d\d|19\d\d|[901]\d(?!\d))\.log]]></text>
</define>
11-07-2022 05:12 AM
Hi @gcusello I would like to add the same fixed one for every event within the file which will be uploaded.
11-07-2022 03:54 AM
Thanks @gcusello I will do that. I can't rely on the created date of the file which I will re-upload? How can I specify the timestamp as I have older data which needs to be uploaded. The method is to use the add data functionality and to upload the txt file to the specified index.